ipfw icmp unreach code response limiting

From: Haesu (haesu_at_towardex.com)
Date: 10/10/03

Date: Thu, 9 Oct 2003 19:29:09 -0400
To: freebsd-isp@freebsd.org

Hi,

By using 'unreach <icmp code>' with ipfw, the system will drop the packet, but at the same time respond to the source with an ICMP unreachable message using the selected <icmp code>.

Is there any way to "rate-limit" the amount of ICMP unreach messages ipfw generates? For example, on Cisco 'ip icmp rate-limit unreach <milliseconds>' would limit the number of ICMP unreachable messages generated from the router to once every <milliseconds>.

What I am trying to do is, I've set up the backscatter traceback technique on a bunch of FreeBSD routers on a network using the IBGP distributed blackhole method. For easier backscatter trace-back operation, I need ICMP unreachable messages responding from the router whenever a packet routes into the discard interface. On Cisco, packets routed to the Null0 interface are an invalid adjacency (under CEF), and therefore cause a drop+unreach message. (More info about the backscatter technique is at http://www.secsup.org/Tracking/)

What I set up on my FreeBSD routers is, I have a discard interface (ds0, or rather pseudo-device disc) set up. Any packets routed to ds0 will result in an unreachable message by ipfw using the following rule:

ipfw add 1 unreach filter-prohib all from any to any out via ds0

And this works great, exactly the same behaviour as on Cisco & Juniper when a packet is routed to Null0/discard. The only thing is, I'd like to limit the number of unreach filter-prohib messages ipfw generates back to the source to x amount of packets per second.

sysctl has net.inet.icmp.icmplim which is exactly what I need, except that ipfw processes the packet _before_ it hits the routing stack, so the sysctl value is futile to ipfw's unreach behaviour.

Thanks for any comments/ideas :)

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867     | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033      | POC: HAESU-ARIN
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
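The behaviour the post is after, "drop every packet routed to the discard interface, but answer with at most x ICMP unreachable messages per second", is what a per-second limiter such as net.inet.icmp.icmplim provides in the IP stack. The following is an added illustration, not code from the post or from FreeBSD/ipfw: it models that limiter in Python over a constructed packet trace, so the effect of the cap (packets are still dropped, only the replies are suppressed) can be seen without a router. The interface name `ds0`, the `UnreachLimiter` class and the sample addresses are assumptions of this example.

```python
"""Constructed model of a per-second cap on ICMP unreachable replies.

Assumptions (not from the original post or from ipfw/FreeBSD):
- packets are tuples (timestamp_seconds, src, dst, out_interface)
- anything leaving via "ds0" (the discard interface) is dropped, and a
  "filter-prohib" unreachable reply is generated unless the cap is hit.
"""
from collections import deque


class UnreachLimiter:
    """Allow at most `limit` replies in any trailing one-second window.

    Hypothetical sliding-window design; it is a stand-in for icmplim's
    per-second accounting, not a reimplementation of it.
    """

    def __init__(self, limit: int):
        self.limit = limit
        self.sent = deque()   # timestamps of replies sent within the last second
        self.suppressed = 0   # replies withheld because the cap was reached

    def allow(self, now: float) -> bool:
        # Age out timestamps older than one second before counting.
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            self.sent.append(now)
            return True
        self.suppressed += 1
        return False


def process(packets, limit):
    """Drop every packet routed to ds0; reply with filter-prohib up to `limit`/s.

    Returns (replies, dropped, suppressed) so the caller can verify that the
    drop count is unaffected by the reply cap.
    """
    lim = UnreachLimiter(limit)
    replies = []
    dropped = 0
    for ts, src, dst, iface in packets:
        if iface != "ds0":
            continue            # ordinary forwarded traffic, untouched here
        dropped += 1            # the drop itself is never rate-limited
        if lim.allow(ts):
            replies.append((ts, src, "filter-prohib"))
    return replies, dropped, lim.suppressed


# Constructed trace: a burst of 50 spoofed-looking sources in the first
# half second, then a slower stream of 10 packets from one source in the
# following second, plus one packet that is not routed to the discard interface.
SAMPLE_PACKETS = (
    [(i * 0.01, f"10.0.0.{i % 250 + 1}", "192.0.2.1", "ds0") for i in range(50)]
    + [(1.0 + i * 0.1, "198.51.100.7", "192.0.2.1", "ds0") for i in range(10)]
    + [(0.25, "203.0.113.9", "192.0.2.2", "em0")]
)


def demo(limit=5):
    """Run the sample trace through the limiter and return the summary."""
    replies, dropped, suppressed = process(SAMPLE_PACKETS, limit)
    return len(replies), dropped, suppressed


if __name__ == "__main__":
    sent, dropped, suppressed = demo()
    print(f"dropped={dropped} unreach_sent={sent} unreach_suppressed={suppressed}")
```

With a cap of 5 per second, all 60 discard-routed packets are dropped, but only 10 unreachable replies go out (5 for each one-second window) and 50 are suppressed; the burst of 50 packets in half a second, which would otherwise turn the router into an amplifier toward whatever source addresses were used, produces the same 5 replies as the slow stream.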